Sites hosted by Cloudflare leaked personal data

Personal data was leaked because of a bug in Cloudflare's software, and the company is working with Google to clean up the aftermath. That clean-up is still ongoing.

Cloudflare Inc has reported that a bug in its software exposed personal data from hundreds of thousands of websites it hosts, and that it has no indication hackers exploited the vulnerability to access that data.

According to Google researchers, the vulnerability was caused by a bug in Cloudflare's software that sent streams of unrelated data to users' browsers when they visited sites hosted by Cloudflare.

John Graham-Cumming, Cloudflare's Chief Technology Officer, has stated that the issue has been resolved and that most of the leaked data has been removed from Google's cache.

“We’ve seen absolutely no evidence that this has been exploited,” said Graham-Cumming. “It’s very unlikely that someone has got this information.”

The data leak had been active since September 22, but sites hosted by Cloudflare were most affected from February 13 onwards. The vulnerability was discovered on February 18.

At its peak, 120,000 webpages were affected every day, said Graham-Cumming.

According to Tavis Ormandy, the Google security researcher who discovered the bug, the leaked data included “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings” as well as software keys and passwords.

Ormandy also disclosed on Twitter that data from Uber and from 1Password, a cloud-based password manager, had also been leaked.

While Uber declined to comment on the report, AgileBits, the creator of 1Password, denied in a blog post that any personal data had been compromised.

Significantly, Graham-Cumming disclosed that although Cloudflare and Google are collaborating to remove the sensitive leaked data from Google's cache, the process is not yet complete, which is why researchers are still finding leaked data if they know where to look.

Many security researchers have criticised Cloudflare, saying the problem is more serious than the company has acknowledged.

Jonathan Sublett of Shield Maiden, an internet security company, said in a blog post that sites hosted by Cloudflare “should consider their data public and work towards securing their accounts”.